New Fraud Statistics

Sometimes it’s hard to believe these statistics because the numbers are so large. The Australian Bureau of Statistics has finished its first survey of personal fraud. Its findings are that 800,000 Australians fell victim to fraud in some way.

453,100 of those lost money, for a total of $977 million. That’s a lot of people and a lot of money for a rather small population.

329,000 Australians lost money after responding to lottery scams and other phishing related scams.

A lot of people keep falling for scams. The best thing you can do is help them become aware of what scams and fraud tricks are being used. Remember that you can always subscribe to Fraudo.com by email or with an RSS reader.

SMS Death Threat Scam

There’s a new scam being sent by SMS, similar to an email one sent recently. The SMS reads:

Someone paid me to kill you. If you want me to spare you, I’ll give you two days to pay $5000. If you inform the police or anybody, you will die, I am monitoring you.

The SMS also includes payment details and an email address.

This is a scam, do not contact the sender or send any money. The Australian Police have issued a warning about this. They also mention that money being paid by victims is being transferred to Thailand.

Let friends and family know about this scam so that they don’t fall victim to it.

Update: (23 July 2012)

It looks like this scam is going around again. It’s pretty much the same as before, and apparently hundreds of people have been scared enough to call 000 (Australia’s emergency number). Again, it’s a scam. Don’t respond to the message, don’t forward it, and don’t send any money. This type of scam is commonly called a hitman scam.

The SMS sometimes uses the following spelling:

Sum1 paid me to kill you. get spared, 48hrs to pay $5000. If you inform the police or anybody, death is promised … E-mail me now: killerking247@yahoo.com.


Advanced Fee Fraud on LinkedIn

The Advanced Fee Fraud is also known as a 419 scam. This is an old and still very popular scam whereby someone who is either a foreigner or is posing as a foreigner asks a stranger for help transferring large amounts of money. They promise a large compensation in return, and ask for some money to get things started. It sounds simple and a lot of people fall for this.

LinkedIn is a social networking site, much like Facebook and MySpace. LinkedIn is mostly used by professionals, i.e. adults who have bank accounts and money. This makes them a good target for a scammer.

It’s been reported that these advanced fee frauds have been appearing on LinkedIn recently. Users of the service are being too trusting of the community and scammers are taking advantage of this.

If you use any social networking site please be aware of people trying to scam money using these ploys. Read up on how this scam works and let other people know about it.

St George Bank Phishing Emails

Phishing emails are very common these days. Below is a typical phishing email purporting to be from a local bank. Keep in mind that the same technique is used with most banks these days. Spelling and grammatical mistakes usually give them away (although this example is pretty good); read the end of this article for the best ways to tell a phishing email from the real thing.

An email arrives with the subject “Verify Your Phone Number”. Emails asking people to verify something can be eye catching, and add a sense of urgency. Below are the contents of the email:

Dear customer!

St.George Bank Limited is constantly working to improve the account security of our customers. In order, to ensure the integrity and security of our online banking system, we periodically review accounts. We were unable to contact you by phone during the last check, so please verify the information at your account file and make sure it is right.

Please, verify your account information by following the link.
Click here for verification: https://ibank.stgeorge.com.au/verify/

The next verification will be done soon, invalid account information will result in your account being placed to restricted status.

Customer Service
St.George Bank Limited
http://stgeorge.com.au/

Some things you should keep in mind:

  • Banks shouldn’t be trying to contact you by email (although sadly some still do)
  • Banks rarely need to verify anything
  • The links in the email are false

What would happen if you clicked on the links provided in the email? They look genuine enough.

In most email clients, when you put the mouse pointer over the link and wait a second, you’ll see the real link. That’s right: in an email the text displayed for a link can look like a bank site’s address while the link itself goes somewhere completely different. Maybe the technology behind emails should be changed to make this impossible.

In this case the links point to a site called stgeorgeverify dot com. Again this might fool some people because it has the bank’s name in the address, but it’s not the bank’s address. It’s a phishing site designed to let customers type in their bank details so that scammers can sell the information on the black market (and eventually so that money can be stolen from bank accounts).

There’s very little regulation in domain names (web addresses). It’s easy for someone to register a domain name that looks like a bank’s site. Even if it has one additional or different letter it’s enough for anyone to register. And when someone registers a new domain name they can make it do whatever they like. Technically it’s a new site (even though the name looks similar to a legitimate site).
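A small checker for the two problems just described (link text that shows the bank’s address while the real target is elsewhere, and a lookalike domain that merely contains the bank’s name), written here as an added example rather than anything from the article or the bank. The HTML fragment is constructed from the email above, and the set of legitimate hosts and the brand token are assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML fragment modelled on the St.George email above: the visible
# text shows the bank's own address, the href points at the lookalike domain.
SAMPLE_HTML = """
<p>Click here for verification:
<a href="http://www.stgeorgeverify.com/verify/">https://ibank.stgeorge.com.au/verify/</a></p>
<p><a href="http://www.stgeorgeverify.com/">Customer Service</a></p>
<p><a href="http://stgeorge.com.au/">http://stgeorge.com.au/</a></p>
"""
# Hosts the bank really uses (assumed for this example) and its brand token.
LEGITIMATE_HOSTS = {"stgeorge.com.au", "www.stgeorge.com.au", "ibank.stgeorge.com.au"}
BRAND = "stgeorge"

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL, or of bare text such as www.example.com/path."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()

def suspicious_links(html, legit_hosts=LEGITIMATE_HOSTS, brand=BRAND):
    """Return (href, shown_text, reason) for each link a reader should not trust."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        # Only treat the visible text as an address when it looks like one.
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text) else ""
        if shown and shown != real:
            findings.append((href, text, "displayed address differs from real target"))
        elif real not in legit_hosts and brand in real:
            findings.append((href, text, "lookalike domain using the bank's name"))
    return findings
```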

So when you receive emails from important organisations, such as your bank, don’t ever click on the links. Go to the bank’s web site by typing its address into a web browser, because the links in emails can be misleading.

For further reading see our article on how domain names work, and another detailed example of phishing.

Chinese Domain Scam

A recent scam email uses the following technique:

  • The scam email has a long story (see below) mentioning your web site name (which could be your business name or trade mark)
  • It mentions that someone else is interested in registering a web site with your web site’s name
  • The scam offers to sell you a .cn domain name (.cn is the top level domain for China)

Below is a sample of this scam email:

Dear Sir

We received a formal application from a company who is called Meiao Investment Co.,Ltd are applying to register “—” as their domain name and Internet keyword in China and also in Asia on Apr 17 2008. During our auditing procedure we find out that the alleged Meiao Investment Co.,Ltd has no trade mark, brand nor patent even similar to that word. As authorized anti-cybersquatting organization we hereby suspect the alleged Meiao Investment Co.,Ltd to be a domain grabber. Hence we need you confirmation for two things,

First of all, whether this alleged Meiao Investment Co.,Ltd is your business partner or distributor in China.

Secondly, whether you are interested in registering these domains. (The alleged Meiao Investment Co.,Ltd will be entitled to obtain a domain not needed by original trademark owner.)

If you are not in charge of this please transfer this email to appropriate dept.

This is a letter for confirmation. If the mentioned third party is your business partner or distributor in China please DO NOT reply. We will automatically confirm application from your business partner after this audit procedure.

Bst Rgs
chenllychen
Registration Commissioner
Beijing HA ZD Networks Science and Technology Co., Ltd
Tel: +86-10-82772601
Fax: +86-10-82773610
Email: chenlly.chen@ha-zd.com
http://www.ha-zd.com.cn

There are quite a few variations of this email, but the concept is the same. Don’t reply to these emails and certainly don’t buy domain names from them. It’s just another scam. If you really want a Chinese domain name, buy one from a reputable registrar.

MasterCard 16% Scam

A fake promotional email, claiming to be from MasterCard SecureCode, offers a 16% discount on all purchases. This could be enough to tempt readers to sign up on the fake web site.

The email has a link to a web site that has been made to look the same as MasterCard’s web site, with a form to sign up. The personal details entered here, including your credit card’s number, expiry date, 3 digit security code, and your date of birth, end up going to a scammer.

If you receive an unsolicited email offering 16% discounts just delete it. And don’t click on links in these emails, instead go to a web browser and type in the address you need.

Microsoft Certificate Enrolment Code

There’s a new phishing trick that involves the user downloading a security certificate. It’s been spotted on a fake Bank of America web site. When this fake page is accessed the user is asked to create a digital certificate.

The control is downloaded to the PC using Microsoft Certificate Enrolment Code. This adds a false sense of security for users.

The next step on the web site asks users to download a file called sophialite.exe. This is a malicious program.

So if you end up at a web site that looks like Bank of America’s, pay close attention to the address shown in your web browser and make sure it’s exactly right.

Credit Card Black Market

Where do stolen credit card numbers go?

One place is a web site called SellCVV2. Recently credit card details were discovered being sold on this site. Prices start at US$38 for a small set of credit card details. This is a fairly professional service offering guarantees and volume discounts on the stolen information.

It now seems that the site’s illegal contents have been cleared out since this information was made public. This doesn’t mean that the black market for stolen credit card numbers has disappeared, it’s only moved to another place.

[Screenshot of sellcvv2] This is how the site appears now.

Vishing

Vishing is short for voice phishing. This involves tricking someone into calling a phone number, listening to a recorded message, then being tricked into providing personal information to the phone service.

Why would someone want to set this up? To collect your personal information, such as credit card number, its expiry date, your date of birth, PIN codes, etc. That information is then either sold on the black market or used by the scammers to steal or spend your money (this is also called identity theft).

Setting up an automated phone system like the ones described here is fairly easy these days, and fairly cheap.

Do people fall for it? Oddly enough, yes. Hopefully by now everyone’s getting the message not to trust strange web sites on the internet. But less obvious methods such as automated phone services are easily forgotten.

Anti virus software can’t stop you making a phone call. And people can be more trusting of “old fashioned” technology such as phones.

How does it work in practice? Here’s a summary of a recent vishing attempt.

  1. Emails are sent in bulk to as many people as possible.
  2. The emails have forged headers to appear to come from service@irs.gov
  3. The email contains an important looking message. Note that it doesn’t have any links to click on; instead it gives a phone number:

     Internal Revenue Service Tax Refund

     After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $215.

     Tax Refund Number: <number here> – Will Expire on <date here>

     Attention!

     Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

     To receive your tax refund please call the IRS Tax Refund Department at: 602-427-59x

     Internal Revenue Service

  4. The reader takes an interest because of the offer of free money (who wouldn’t!) and calls the number shown.
  5. Because the email already warned people they need a VISA or Mastercard card to receive payment, they are more willing to provide the card’s details.

Tips to avoid this scam:

  • A good anti virus package will detect fraudulent emails such as the one above and filter them out, so invest in one if you haven’t already.
  • In a company (small or large) invest in mail filtering. This is usually not included in corporate anti virus software.
  • Think carefully about why you received this email. Did you really lodge a tax return recently, and in the country the email says it’s from? (e.g., if you live in the USA and receive an email offering a tax refund from Australia, it’s most probably a scam).
  • Does your country’s tax department even have your email address? If you didn’t give it to them then why are you receiving this email?
  • Don’t blindly dial the number shown in the email. Look the organisation up in your local phone book.

This isn’t limited to tax refunds. Other vishing variations may appear to be from banks or other financial institutions.

Another variation of this scam is to send people an SMS instead of an email, with a shorter version of the message above. Treat SMSs like you would treat emails. Note: it’s also easy to forge SMSs to appear to come from other people.

Automated voice systems can also initiate phone calls with fake caller IDs. The technology’s easily available. VoIP systems are even easier to set up.

The potential to trick people into handing over personal details is just as easy using phones as it is using emails and web pages.
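The mail filtering the tips above recommend can flag exactly the traits of the IRS lure described in the steps: a From header that claims one domain while the envelope sender is another, a phone number offered in place of any link, and refund wording. The rule set below is an added example, not the site’s or any vendor’s filter; the raw message is constructed from the email above, and its Return-Path address and phone number are invented placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message modelled on the IRS vishing email above. The From
# header is forged to irs.gov; the envelope sender and the phone number are
# placeholders invented for this example.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-blast.example>
From: Internal Revenue Service <service@irs.gov>
To: someone@example.com
Subject: Internal Revenue Service Tax Refund
Content-Type: text/plain

After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $215.

Tax refunds can be sent only to VISA or Mastercard DEBIT CARDS.

To receive your tax refund please call the IRS Tax Refund Department at:
602-555-0199

Internal Revenue Service
"""

PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
LURE_WORDS = ("refund", "eligible", "debit card")

def domain_of(header_value):
    """Domain part of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def vishing_indicators(raw):
    """List the reasons a plain-text message looks like a vishing lure."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()  # single-part only here
    reasons = []
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom and path_dom and from_dom != path_dom:
        reasons.append(f"From claims {from_dom} but the envelope sender is {path_dom}")
    phones = PHONE_RE.findall(body)
    if phones and not URL_RE.search(body):
        reasons.append(f"asks you to phone {phones[0]} and offers no link to inspect")
    if any(word in body.lower() for word in LURE_WORDS):
        reasons.append("money lure wording (refund / eligible / debit card)")
    return reasons
```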